Setting the Default Process Security Level Using VBScript

A script can use the default WMI authentication and impersonation settings. However, the script may need a connection with more security or may connect to a namespace that requires an encrypted connection. For more information, see Setting Namespace Security Descriptors and Requiring an Encrypted Connection to a Namespace.

In the simplest case, a script can use the default authentication and impersonation settings. WMI normally runs in a shared service host and shares the same authentication as other processes in the host. If you want to run the WMI process with a different level of authentication, run WMI with the winmgmt command with the /standalonehost switch and set the authentication level for WMI generally. For more information, see Maintaining WMI Security.

Windows Server 2003 and Windows XP: The /standalonehost switch is not available.

The following script uses default settings for impersonation and authentication levels.


strComputer = "." 
Set objServices = GetObject("winmgmts:\\" _
    & strComputer & "\root\CIMV2") 
set objProcessSet = objServices.ExecQuery _
     ("SELECT Name FROM Win32_Process",,48)
For Each Process in objProcessSet
    WScript.Echo Process.Name
Next

You can also use a moniker in a call to GetObject, and set the default security settings, as in the following example.


strComputer = "." 
Set objServices = GetObject( _
    "winmgmts:{impersonationLevel=impersonate," _
    & "authenticationLevel=pktPrivacy}!root/cimv2")
set objProcessSet = objServices.ExecQuery _
     ("SELECT Name FROM Win32_Process",,48)
For Each Process in objProcessSet
    WScript.Echo Process.Name
Next

For more information about setting different impersonation or authentication levels in a script, or for setting the default values for a computer, see the following topics:

Changing the Default Authentication Credentials Using VBScript

You can change the authentication level in a script using a moniker string, and the SWbemLocator and SWbemSecurity objects.

The authentication level must be set according to the requirements of the target operating system to which you are connecting. For more information, see Connecting Between Different Operating Systems.

The following VBScript code example shows how to change the authentication level in a script that obtains the free space data from a remote computer named "Server1".

strComputer = "Server1"
Set objWMIService = GetObject("winmgmts:" _
    & "{authenticationLevel=Pkt}!\\" _
    & strComputer & "\root\cimv2")
Set colDisks = objWMIService.ExecQuery _
    ("Select * from Win32_LogicalDisk")
For Each objDisk in colDisks
    Wscript.Echo "DeviceID: " & vbTab & _
        objDisk.DeviceID & vbNewLine & _
        "FreeSpace: " & vbTab & objDisk.FreeSpace
Next

In script moniker connections to WMI, use the short name shown in the "Moniker name/description" column of the table below. For example, in the following script, the authentication level is set to WbemAuthenticationLevelPktIntegrity.

Set objWMIService = GetObject( _
    "winmgmts:{authenticationLevel=pktIntegrity}!root\cimv2")

The following table lists the authentication levels you can set. These levels are defined in Wbemdisp.tlb in the enumeration WbemAuthenticationLevelEnum.

Name/value, moniker, and description:

WbemAuthenticationLevelDefault (0), moniker Default: WMI uses the default Windows authentication setting. This is the recommended setting that allows WMI to negotiate to the level required by the server returning data. However, if the namespace requires encryption, use WbemAuthenticationLevelPktPrivacy.

WbemAuthenticationLevelNone (1), moniker None: Uses no authentication.

WbemAuthenticationLevelConnect (2), moniker Connect: Authenticates the credentials of the client only when the client establishes a relationship with the server.

WbemAuthenticationLevelCall (3), moniker Call: Authenticates only at the beginning of each call when the server receives the request.

WbemAuthenticationLevelPkt (4), moniker Pkt: Authenticates that all data received is from the expected client.

WbemAuthenticationLevelPktIntegrity (5), moniker PktIntegrity: Authenticates and verifies that none of the data transferred between client and server has been modified.

WbemAuthenticationLevelPktPrivacy (6), moniker PktPrivacy: Authenticates all previous impersonation levels and encrypts the argument value of each remote procedure call. Use this setting if the namespace to which you are connecting requires an encrypted connection.

To determine a successful call, check the return value after you change the authentication level.

For example, because local connections always have an authentication level of wbemAuthenticationLevelPktPrivacy, the following example fails to set the authentication level because it connects to the local computer.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate," _
    & "authenticationLevel=pktPrivacy}!" _
    & "\\" & strComputer & "\root\cimv2")

A provider can set the security on a namespace so that no data is returned unless you use packet privacy (PktPrivacy) in your connection to that namespace. This ensures that data is encrypted as it crosses the network. If you try to set a lower authentication level, you will get an access denied message. For more information, see Securing WMI Namespaces.

Windows Server 2003 and Windows XP: Before Windows Server 2003 with Service Pack 1 (SP1), providers could not set namespace security to require encryption before returning data.

Changing the Default Impersonation Levels Using VBScript

When you make calls to the Scripting API for WMI, it is recommended that you use the defaults that WMI provides for the impersonation level. Remote calls and some providers with more than one network hop require a higher impersonation level than WMI uses. If the impersonation level is not sufficient, a provider might refuse a request or provide incomplete information.

If you do not set the impersonation level either in a moniker or by setting SWbemSecurity.ImpersonationLevel on a securable object, WMI uses the default DCOM impersonation level for the operating system. The impersonation level must be set according to the requirements of the target operating system to which you are connecting. For more information, see Connecting Between Different Operating Systems.

The following VBScript code example shows changing the impersonation level in the same script shown above.

strComputer = "Server1"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=Impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colDisks = objWMIService.ExecQuery _
    ("Select * from Win32_LogicalDisk")
For Each objDisk in colDisks
    Wscript.Echo "DeviceID: " & vbTab _
        & objDisk.DeviceID & vbNewLine & _
        "FreeSpace: " & vbTab & objDisk.FreeSpace
Next

The following table lists the impersonation levels defined in WbemImpersonationLevelEnum that you can use.

Name/value, moniker, and description:

wbemImpersonationLevelAnonymous (1), moniker Anonymous: Hides the credentials of the caller. Calls to WMI may fail with this impersonation level.

wbemImpersonationLevelIdentify (2), moniker Identify: Allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level.

wbemImpersonationLevelImpersonate (3), moniker Impersonate: Allows objects to use the credentials of the caller. This is the recommended impersonation level for Scripting API for WMI calls.

wbemImpersonationLevelDelegate (4), moniker Delegate: Allows objects to permit other objects to use the credentials of the caller. This impersonation level will work with Scripting API for WMI calls but may constitute an unnecessary security risk.

The following example shows how to set the impersonation in a moniker string when obtaining a specific instance of Win32_Process.

Set object = GetObject( _
    "winmgmts:{impersonationLevel=impersonate}" _
    & "!root\cimv2:Win32_Process.Handle='0'")

For more information, see Creating a WMI Application or Script.

Setting the Default Impersonation Level Using the Registry

If you have access to the registry, you can also set the default impersonation level registry key. This key specifies which impersonation level the Scripting API for WMI uses unless otherwise specified. The key is located at the following registry path.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Impersonation Level

By default, the registry key is set to 3, specifying the Impersonate impersonation level. Some providers may require a higher level of impersonation.

Accessing the SWbemSecurity Object in VBScript

The other way you can set the impersonation level is from the SWbemSecurity security object, which appears as the Security_ property of the SWbemServices, SWbemObject, SWbemObjectSet, SWbemEventSource, SWbemObjectPath, and SWbemLocator objects.

WMI passes the security setting of a parent object to the descendants of the original object. Therefore, you can set the impersonation level on an SWbemServices object once after logging on to WMI, and API calls made through that object or through objects created from it, such as objects of type SWbemObject, use the same setting.
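The following script is an added example, not part of the original page. It combines the advice given earlier about checking the return value after changing the authentication level with the SWbemSecurity object described in this section: it connects through SWbemLocator, raises the levels once on the SWbemServices object via Security_, confirms that a child object inherits them, and reports an access-denied result instead of silently returning nothing. The server name "Server1" is a constructed placeholder, and the constants are declared locally with the values from the tables above because a plain .vbs file cannot see the Wbemdisp.tlb enumerations.

```vbscript
' Added example (not from the original page): set impersonation and
' authentication through Security_ on an SWbemServices object instead of
' a moniker, then check for errors before trusting the result.
' Values are from WbemImpersonationLevelEnum / WbemAuthenticationLevelEnum;
' WBEM_E_ACCESS_DENIED is the WMI access-denied HRESULT.
Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelPktPrivacy = 6
Const WBEM_E_ACCESS_DENIED = &H80041003

strComputer = "Server1"   ' constructed name; use "." for the local computer

On Error Resume Next
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
' ConnectServer parses no moniker, so security is set on the returned object.
Set objServices = objLocator.ConnectServer(strComputer, "root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Connect failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

' Levels set on SWbemServices are passed to every object obtained from it
' (SWbemObjectSet, SWbemObject, ...), so they only need to be set once.
objServices.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
objServices.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy

' Flag 0 forces a synchronous call so an access-denied error surfaces here
' rather than later, during enumeration of the result set.
Set colProcesses = objServices.ExecQuery( _
    "SELECT Name FROM Win32_Process", "WQL", 0)
If Err.Number = WBEM_E_ACCESS_DENIED Then
    WScript.Echo "Access denied: the namespace may require a higher " _
        & "authentication level than this connection provides."
    WScript.Quit 1
ElseIf Err.Number <> 0 Then
    WScript.Echo "Query failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' The child SWbemObjectSet exposes the settings it inherited from objServices.
WScript.Echo "Impersonation: " & colProcesses.Security_.ImpersonationLevel _
    & "  Authentication: " & colProcesses.Security_.AuthenticationLevel
For Each objProcess In colProcesses
    WScript.Echo objProcess.Name
Next
```

Run it with cscript so the output goes to the console; against a namespace that requires packet privacy, lowering the level to anything below 6 should produce the access-denied branch rather than data.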

Related topics

Connecting to WMI on a Remote Computer
Securing Scripting Clients

© 2014 Microsoft. All rights reserved.